Improper Privilege Management
ID: 269
Date: created 2012-05-14, modified 2020-01-25
Type: Weakness
Status: Incomplete
Abstraction Type: Base
Description: The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that
Likelihood of Exploit: Medium
Applicable Platforms: Language Class: All
Time Of Introduction
- Architecture and Design
Related Attack Patterns
Common Consequences
| Scope | Impact |
| Access Control | Gain Privileges / Assume Identity |
Potential Mitigations
| Phase | Strategy | Description |
| Architecture and Design; Operation | | Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. |
| Architecture and Design | Separation of Privilege | Follow the principle of least privilege when assigning access rights to entities in a software system. |
| | | Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. |
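The first two mitigations are abstract; the concrete form they take in a privileged Unix daemon is a permanent, verified privilege drop. The following is an added example, not code from the CWE entry: it assumes Linux with glibc (it uses setgroups() and getresuid()), and it assumes the caller supplies the target service-account uid/gid. It checks every return value, orders the calls so the drop cannot fail half-way, and verifies afterwards that root cannot be regained, which is the class of defect behind observed examples such as privileges not being reset.

```c
#define _GNU_SOURCE /* for getresuid() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop privileges to target_uid/target_gid.
 * Returns 0 on success, -1 on failure (errno set).
 * Each check below corresponds to a common CWE-269 mistake:
 *  - calling setuid() before setgid(): once the uid is non-root,
 *    the group can no longer be changed;
 *  - leaving the privileged context's supplementary groups behind;
 *  - ignoring setuid()/setgid() return values, so a failed drop
 *    silently keeps the process privileged;
 *  - dropping only the effective id (seteuid), so the saved uid
 *    still allows root to be regained.
 */
int drop_privileges_permanently(uid_t target_uid, gid_t target_gid)
{
    /* Supplementary groups can only be cleared while still privileged;
     * an already-unprivileged process keeps its own group list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first, then user. */
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;

    /* Verify: real and effective ids must both be the target ... */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and if the target is unprivileged, regaining root must fail.
     * If setuid(0) succeeds here, a saved uid of 0 was left behind. */
    if (target_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Report whether the calling process still holds root in any of its
 * user ids (real, effective, saved). Returns 1 if privileged. */
int still_privileged(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 1; /* cannot tell: assume the worst */
    return ruid == 0 || euid == 0 || suid == 0;
}

int main(void)
{
    /* Demo: drop to the caller's own real ids, which is always permitted.
     * A real daemon would pass the ids of its configured service account. */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u, privileged=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), still_privileged());
    return 0;
}
```

The post-drop verification is the part most often omitted: a daemon that only calls seteuid(), or that ignores a failing setuid(), passes casual testing but still holds root in its saved uid, which is exactly the unintended sphere of control this weakness describes.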
Relationships
| Nature | Type | ID | View |
| ChildOf | Category | CWE-901 | CWE-888 |
- CVE-2001-1555 : Terminal privileges are not reset when a user logs out.
- CVE-2001-1514 : Does not properly pass security context to child processes in certain cases, allows privilege escalation.
- CVE-2001-0128 : Does not properly compute roles.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name |
| PLOVER | | Privilege Management Error |